WannaCry Ransomware Attack: What Happened and How to Address

A widespread global ransomware attack has struck hospitals, telecommunications providers, and other companies and government offices around the world, encrypting the files on affected computers and holding them hostage until the victims pay a ransom. Reports describe tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan, and the ransom note is displayed in as many as 27 languages. The current version of this ransomware, known as WannaCry, WCry, or Wanna Decryptor, was first identified the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

The ransomware enumerates the user data files on the computer (Word, Excel, PowerPoint and PDF documents, loose email, pictures, movies, music and similar files) and encrypts each one, so the original contents cannot be recovered without the decryption key. It also stays active on an infected computer: any new files you create while it is running are found and encrypted as well. To obtain the decryption key, you must pay a ransom in Bitcoin, which gives the threat actors a limited degree of anonymity, and there is no guarantee that a key will be provided after payment. In this case the attackers are demanding roughly $300 USD; threat actors typically set the amount at a level they believe the victim can pay, to maximize their "return on investment."

The ransomware spreads by exploiting a vulnerability in the SMBv1 file-sharing service of Microsoft Windows. The working theory is that it is built on the "EternalBlue" exploit, which was developed by the U.S. National Security Agency and published by the Shadow Brokers on April 14, 2017. Microsoft had patched the vulnerability in March 2017 (security bulletin MS17-010), but many organizations had not yet installed the update, and unpatched Windows versions from XP through Windows 8.1 and Windows Server 2012 R2 are subject to infection. Because the worm moves from machine to machine over SMB (TCP port 445) with no user interaction, a single unpatched host reachable on that port can seed an entire network. On May 13, Microsoft also released the fix for versions it no longer supports, including Windows XP and Windows Server 2003.
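A quick way to check whether a particular Windows host has the March 2017 fix, added here as an example and not part of this alert: it looks for the MS17-010 hotfix identifiers in the output of `wmic qfe get HotFixID`. The KB numbers are reproduced from memory of Microsoft's bulletin rather than from this page, so confirm them against the vendor's update guide before relying on them, and note that a later cumulative rollup also contains the fix, so "not found" is a prompt to investigate rather than proof of exposure.

```python
"""Added example: look for an MS17-010 (EternalBlue) fix among installed Windows hotfixes."""
import platform
import re
import subprocess

# Security updates that carried the MS17-010 fix for the SMBv1 flaw EternalBlue
# exploits. Assumption: this list is reproduced from memory of Microsoft's
# bulletin; verify it against the vendor's update guide before relying on it.
MS17_010_KBS = {
    "KB4012212", "KB4012215",               # Windows 7 / Server 2008 R2
    "KB4012213", "KB4012216",               # Windows 8.1 / Server 2012 R2
    "KB4012214", "KB4012217",               # Windows Server 2012
    "KB4012606", "KB4013198", "KB4013429",  # Windows 10 1507 / 1511 / 1607
    "KB4012598",                            # XP, Vista, Server 2003/2008 (out-of-band)
}

KB_PATTERN = re.compile(r"\bKB\d{6,7}\b")


def installed_hotfixes(qfe_output):
    """Return the set of KB identifiers found in `wmic qfe get HotFixID` output."""
    return set(KB_PATTERN.findall(qfe_output))


def ms17_010_status(qfe_output):
    """Classify a host from its hotfix list.

    Returns ("patched", [matching KBs]) when one of the March 2017 updates is
    present. Otherwise returns ("not found", []): a later cumulative rollup
    supersedes these KBs, so treat that result as a prompt to verify the host's
    rollup level (or confirm SMBv1 is disabled), not as proof it is vulnerable.
    """
    matches = sorted(installed_hotfixes(qfe_output) & MS17_010_KBS)
    if matches:
        return "patched", matches
    return "not found", []


def check_local_host():
    """Run the check on the machine this script executes on (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("hotfix query requires Windows; use ms17_010_status() on saved output")
    result = subprocess.run(
        ["wmic", "qfe", "get", "HotFixID"], capture_output=True, text=True, check=True
    )
    return ms17_010_status(result.stdout)


# Constructed samples of `wmic qfe get HotFixID` output (not captured from a
# real machine): one host with the Windows 7 security-only update, one without.
SAMPLE_PATCHED = "HotFixID\nKB2952664\nKB3125574\nKB4012212\n"
SAMPLE_UNPATCHED = "HotFixID\nKB2952664\nKB3125574\n"

if __name__ == "__main__":
    for label, sample in (("patched host", SAMPLE_PATCHED), ("unpatched host", SAMPLE_UNPATCHED)):
        print(label, "->", ms17_010_status(sample))
```

On a fleet, the same function can be pointed at `wmic qfe` output collected by your management tooling; on hosts where the KB is absent, confirming that SMBv1 is disabled closes the vector regardless of patch level.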

The spread of the malware was stemmed late on Friday, May 12, when a researcher activated an unintended "kill switch": before spreading further, the malware attempts to contact a particular previously unregistered domain and stops if that request succeeds. Registering the domain therefore halted the worm on computers that can reach it. Two caveats apply: the kill switch does not decrypt files that were already encrypted, and machines whose outbound web access passes through a proxy or is blocked may never reach the domain and remain exposed. Multiple sources have reported that a new version of the malware with the kill switch removed has been deployed; at this time, global malware analysts have not observed evidence to substantiate those claims.

You should remain diligent and do the following:

Be aware and take a security-minded approach when using any computer. Never click on unsolicited links or open unsolicited attachments in emails, especially from sources you do not already know or trust. Bear in mind that this worm also moves between computers over the network without any user action, so user caution complements, but does not replace, installing the Microsoft patch.

Back up your data! The principal harm of ransomware is losing access to your data, and if you keep regular, tested backups you can restore your files rather than pay. Use a backup system with versioning, so that unencrypted versions of your files remain available to restore, and confirm that it is not overwriting or deleting those unencrypted copies when the encrypted versions appear. Keep at least one copy offline or otherwise unreachable from the infected network, since a backup share the malware can write to will simply be encrypted along with everything else.
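What "versioning that does not overwrite the good copies" means in practice, as an added example that is not part of this alert: a small backup store that keeps every clean version of a file and diverts anything that looks ransomware-encrypted into a quarantine area instead of the version history. The WannaCry file extensions and the entropy threshold are assumptions drawn from public analyses of the May 2017 samples, not from this page, and the sample files in the demo are constructed.

```python
"""Added example: a versioned backup store that never replaces a clean copy
with one that looks ransomware-encrypted."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions WannaCry gave to files it encrypted (assumption: taken from public
# analyses of the May 2017 samples, not from this alert).
SUSPICIOUS_SUFFIXES = {".wncry", ".wncryt", ".wcry"}
ENTROPY_THRESHOLD = 7.5        # bits per byte; plain text and most documents sit far below this
SAMPLE_BYTES = 64 * 1024       # judge content on the first 64 KiB
MIN_BYTES_FOR_ENTROPY = 1024   # tiny files give noisy entropy estimates


def shannon_entropy(data):
    """Bits of entropy per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, data):
    """Flag a file by ransomware extension or by near-random content."""
    if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
        return True
    head = data[:SAMPLE_BYTES]
    return len(head) >= MIN_BYTES_FOR_ENTROPY and shannon_entropy(head) > ENTROPY_THRESHOLD


def backup_file(src, root, store):
    """Add src to the store and report what was done: stored, unchanged or quarantined.

    Clean versions live under store/versions/<relative path>/NNNNNN-<sha256 prefix>
    and are never overwritten or deleted, so every clean copy stays restorable.
    Suspicious files go under store/_quarantine instead of the version history,
    so an encrypted copy cannot displace the last good one.
    """
    rel = src.relative_to(root)
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()[:16]
    if looks_encrypted(src, data):
        dest = store / "_quarantine" / rel.parent / f"{rel.name}.{digest}"
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        return "quarantined"
    versions = store / "versions" / rel
    versions.mkdir(parents=True, exist_ok=True)
    existing = sorted(versions.iterdir())
    if any(v.name.endswith(digest) for v in existing):
        return "unchanged"
    (versions / f"{len(existing):06d}-{digest}").write_bytes(data)
    return "stored"


def latest_clean_version(rel, store):
    """Newest clean version of a relative path, or None if none was ever stored."""
    versions = store / "versions" / rel
    if not versions.is_dir():
        return None
    names = sorted(versions.iterdir())
    return names[-1] if names else None


def run_backup(root, store):
    """Back up every regular file under root; returns a count per outcome."""
    root, store = Path(root), Path(store)
    counts = Counter()
    for path in sorted(root.rglob("*")):
        if path.is_file():
            counts[backup_file(path, root, store)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed demo: one clean document, then an encrypted copy with the
    # WannaCry extension and one encrypted in place with its name unchanged.
    tmp = Path(tempfile.mkdtemp())
    docs, store = tmp / "docs", tmp / "store"
    docs.mkdir()
    (docs / "report.txt").write_text("quarterly figures, line " * 200)
    (docs / "report.txt.WNCRY").write_bytes(bytes(range(256)) * 16)
    (docs / "notes.txt").write_bytes(bytes(range(256)) * 16)
    print(run_backup(docs, store))
    print("restorable:", latest_clean_version(Path("report.txt"), store))
```

The entropy test will also flag compressed formats such as .zip, .jpg and modern .docx files, so in a real deployment pair it with format-aware rules; here a false positive costs only a manual look in the quarantine directory, whereas a false negative in a mirroring backup costs the last clean copy.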

If your organization is the victim of a ransomware attack, contact law enforcement immediately. Report the event to your FBI Field Office Cyber Task Force and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.

About Seyfarth's eDiscovery and Information Governance Team

Seyfarth Shaw’s eDiscovery and Information Governance (eDIG) attorneys dedicate 100% of their practices to eDiscovery and information governance issues, advising and litigating on these complex matters efficiently, effectively and creatively. Seyfarth is one of the few law firms with a truly dedicated eDiscovery practice group — one that began well before the Federal Rules of Civil Procedure were amended in 2006. We bring experience and talent to craft practical and defensible approaches to meet discovery obligations in litigation to comply with statutory and regulatory rules while managing the costs and the realities of operating a business in today’s economy. We have worked with some of the country’s largest companies on eDiscovery issues in specific major litigation as well as broader strategic approaches to eDiscovery.